Microsoft has concluded its investigation into the Storm-0558 intrusion and disclosed how the Chinese threat actor obtained the signing key it used to break into US government email accounts. The breach itself was disclosed about two months earlier: Storm-0558 accessed email accounts at around two dozen Western organizations, among them several US government agencies.
The attackers used a stolen Microsoft account (MSA) consumer signing key to forge authentication tokens, which gave them access to Outlook Web Access (OWA) and Outlook.com mailboxes. A consumer key should not have been usable against enterprise mail at all; Microsoft has said the mail system accepted enterprise tokens signed with the consumer key because of a validation error that has since been corrected. The open question was how the attackers got hold of the key in the first place, and Microsoft's investigation now offers an answer: the key was found in a crash dump of the consumer signing system taken in April 2021. Crash dumps are meant to have sensitive material redacted before they leave the production environment, and a signing key should never have appeared in one, but a race condition allowed the key to remain in this particular dump. Microsoft says that bug has been fixed.
Microsoft's credential-scanning checks did not detect the key material in the dump either, a second gap the company says it has closed. After the crash, the dump was moved out of the production environment into Microsoft's debugging environment on its internet-connected corporate network, as the company's standard debugging workflow allowed. That move put the dump within reach of anyone who could compromise a corporate account. Some months after the dump was created, Storm-0558 compromised the corporate account of a Microsoft engineer; that account had access to the debugging environment, from which the actor is believed to have retrieved the dump from one of the endpoints.
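The control that failed here is a scan of crash dumps for key material before they leave the production environment. The following is an added illustration of what such a check looks like, not Microsoft's tooling or anything from its report: a hypothetical scanner that sweeps a raw dump for the byte patterns a private key leaves in a process image (PEM armour, and the DER headers of PKCS#1 and PKCS#8 RSA keys), and flags truncated structures as findings too. The sample dump is constructed inline from random filler and fake key headers; it contains no real key.

```python
"""Scan a raw memory/crash dump for private-key material.

Added illustration only: a hypothetical scanner, not Microsoft's tooling.
It looks for the byte patterns a private key leaves behind in a process
image: PEM armour, and the DER headers of PKCS#1 and PKCS#8 RSA keys.
"""
import random
import re
from dataclasses import dataclass

# PEM armour: "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----", ...
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----")

# DER with long-form length (>= 256 bytes, i.e. any RSA key of realistic size):
#   PKCS#1 RSAPrivateKey: SEQUENCE, INTEGER 0 (version), INTEGER (modulus, long form)
DER_PKCS1 = re.compile(rb"\x30\x82..\x02\x01\x00\x02\x82", re.DOTALL)
#   PKCS#8 PrivateKeyInfo for rsaEncryption (OID 1.2.840.113549.1.1.1):
#   SEQUENCE, INTEGER 0, SEQUENCE { OID, NULL }
DER_PKCS8_RSA = re.compile(
    rb"\x30\x82..\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00",
    re.DOTALL,
)


@dataclass
class Finding:
    offset: int      # byte offset into the dump
    kind: str        # "pem", "der-pkcs1" or "der-pkcs8"
    detail: str
    complete: bool   # whole structure lies inside the dump; truncated keys are still findings


def _der_length(header: bytes) -> int:
    """Length field of a '30 82 hh ll' long-form SEQUENCE header."""
    return int.from_bytes(header[2:4], "big")


def scan_dump(blob: bytes) -> list[Finding]:
    """Return every key-shaped structure in the dump, ordered by offset."""
    findings: list[Finding] = []

    for m in PEM_BEGIN.finditer(blob):
        label = m.group(1)
        end_marker = b"-----END " + label + b"-----"
        findings.append(Finding(m.start(), "pem", label.decode(),
                                blob.find(end_marker, m.end()) != -1))

    for kind, pattern in (("der-pkcs1", DER_PKCS1), ("der-pkcs8", DER_PKCS8_RSA)):
        for m in pattern.finditer(blob):
            length = _der_length(m.group(0))
            end = m.start() + 4 + length          # header is 4 bytes, then `length` bytes of content
            findings.append(Finding(m.start(), kind, f"DER SEQUENCE of {length} bytes",
                                    end <= len(blob)))

    return sorted(findings, key=lambda f: f.offset)


def build_sample_dump() -> bytes:
    """Constructed dump: deterministic random filler with fake key fragments (no real key)."""
    rng = random.Random(1)

    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    # "MIIEowIBAAKCAQEA" is the base64 of the PKCS#1 header bytes used below.
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n"
           b"-----END RSA PRIVATE KEY-----\n")
    # 2048-bit PKCS#1 key: SEQUENCE of 0x04a3 bytes, version 0, modulus INTEGER of 0x0101 bytes
    pkcs1_hdr = b"\x30\x82\x04\xa3\x02\x01\x00\x02\x82\x01\x01\x00"
    pkcs1 = pkcs1_hdr + filler(0x04A3 - (len(pkcs1_hdr) - 4))
    # PKCS#8 wrapper around such a key: version, rsaEncryption AlgorithmIdentifier, OCTET STRING
    pkcs8_hdr = (b"\x30\x82\x04\xbd\x02\x01\x00"
                 b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"
                 b"\x04\x82\x04\xa7")
    pkcs8 = pkcs8_hdr + filler(0x04BD - (len(pkcs8_hdr) - 4))
    truncated = pkcs1_hdr + filler(40)   # dump ended mid-key
    return filler(512) + pem + filler(300) + pkcs1 + filler(128) + pkcs8 + filler(64) + truncated


if __name__ == "__main__":
    for f in scan_dump(build_sample_dump()):
        state = "complete" if f.complete else "TRUNCATED"
        print(f"{f.offset:#010x} {f.kind:9s} {state:9s} {f.detail}")
```

A check like this belongs in the pipeline that moves dumps out of the isolated environment, and any finding, including a truncated one, should block the transfer rather than merely log it; a key fragment large enough to matter is still a secret. Pattern matching on headers is deliberately cheap and over-inclusive, since the cost of a false positive (a human looks at a dump) is far lower than the cost of a signing key reaching a network where a single compromised account can read it.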
Microsoft stated, “Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.” In response to the breach, Microsoft revoked all MSA signing keys that were valid at the time, cutting off the attackers' ability to forge further tokens. The incident shows how signing-key material can escape an isolated environment through an ordinary operational path, in this case a crash dump, and how a single compromised corporate account is then enough to reach it.